<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Granting privileges for indices and aliases | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'securing-aliases.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/securing-aliases.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/securing-aliases.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/securing-aliases.html" rel="nofollow" target="_blank">../en/securing-aliases.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="secure-cluster.html">Secure a cluster</a></span>
»
<span class="breadcrumb-link"><a href="authorization.html">User authorization</a></span>
»
<span class="breadcrumb-node">Granting privileges for indices and aliases</span>
</div>
<div class="navheader">
<span class="prev">
<a href="field-level-security.html">« Field level security</a>
</span>
<span class="next">
<a href="mapping-roles.html">Mapping users and groups to roles »</a>
</span>
</div>
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="securing-aliases"></a>Granting privileges for indices and aliases<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authorization/alias-privileges.asciidoc">edit</a><a class="xpack_tag" href="https://www.elastic.co/subscriptions"></a>
</h2>
</div></div></div>
<p>Elasticsearch allows to execute operations against <a href="indices-aliases.html" class="ulink" target="_top">index aliases</a>,
which are effectively virtual indices. An alias points to one or more indices,
holds metadata and potentially a filter. The Elasticsearch security features treat
aliases and indices
the same. Privileges for indices actions are granted on specific indices or
aliases. In order for an indices action to be authorized, the user that executes
it needs to have permissions for that action on all the specific indices or
aliases that the request relates to.</p>
<p>Let’s look at an example. Assuming we have an index called <code class="literal">2015</code>, an alias that
points to it called <code class="literal">current_year</code>, and a user with the following role:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">{
  "names" : [ "2015" ],
  "privileges" : [ "read" ]
}</pre>
</div>
<p>The user attempts to retrieve a document from <code class="literal">current_year</code>:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">GET /current_year/event/1</pre>
</div>
<div class="console_widget" data-snippet="snippets/1252.console"></div>
<p>The above request gets rejected, although the user has <code class="literal">read</code> privilege on the
concrete index that the <code class="literal">current_year</code> alias points to. The correct permission
would be as follows:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">{
  "names" : [ "current_year" ],
  "privileges" : [ "read" ]
}</pre>
</div>
<h4>
<a id="_managing_aliases"></a>Managing aliases<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authorization/alias-privileges.asciidoc">edit</a>
</h4>
<p>Unlike creating indices, which requires the <code class="literal">create_index</code> privilege, adding,
removing and retrieving aliases requires the <code class="literal">manage</code> permission. Aliases can be
added to an index directly as part of the index creation:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">PUT /2015
{
    "aliases" : {
        "current_year" : {}
    }
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/1253.console"></div>
<p>or via the dedicated aliases api if the index already exists:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">POST /_aliases
{
    "actions" : [
        { "add" : { "index" : "2015", "alias" : "current_year" } }
    ]
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/1254.console"></div>
<p>The above requests both require the <code class="literal">manage</code> privilege on the alias name as well
as the targeted index, as follows:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">{
  "names" : [ "20*", "current_year" ],
  "privileges" : [ "manage" ]
}</pre>
</div>
<p>The index aliases api also allows also to delete aliases from existing indices.
The privileges required for such a request are the same as above. Both index and
alias need the <code class="literal">manage</code> permission.</p>
<h4>
<a id="_filtered_aliases"></a>Filtered aliases<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authorization/alias-privileges.asciidoc">edit</a>
</h4>
<p>Aliases can hold a filter, which allows to select a subset of documents that can
be accessed out of all the documents that the physical index contains. These
filters are not always applied and should not be used in place of
<a class="xref" href="document-level-security.html" title="Document level security">document level security</a>.</p>
</div>
<div class="navfooter">
<span class="prev">
<a href="field-level-security.html">« Field level security</a>
</span>
<span class="next">
<a href="mapping-roles.html">Mapping users and groups to roles »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>